Hardware: Includes servers, computers, routers, switches, and data storage devices.
Software: Encompasses operating systems, applications, and security tools.
Data: The core element, including databases, files, and multimedia.
Networks: Communication systems like LAN, WAN, and the internet.
People: Users, IT staff, and management who interact with the system.
Processes: Procedures and policies governing the use and security of the system.
User Productivity: Excessive security measures can hinder user efficiency and productivity.
System Usability: Maintaining a user-friendly environment while ensuring security.
Data Accessibility: Ensuring that data is available to authorized users when needed.
Threat Mitigation: Balancing the need to protect against potential security threats.
Regulatory Compliance: Meeting legal requirements without overburdening system access.
UNIT-2
International Bodies:
Interpol: Facilitates international police cooperation.
International Organization for Standardization (ISO): Develops standards like ISO/IEC 27001 for information security management.
United States:
Federal Trade Commission (FTC): Enforces laws against deceptive and unfair business practices.
National Institute of Standards and Technology (NIST): Develops cybersecurity standards and guidelines.
European Union:
European Data Protection Board (EDPB): Oversees the application of the General Data Protection Regulation (GDPR).
3. Identify the key element in the process of risk identification in information security.
Asset Identification: Recognizing what needs protection, such as data, hardware, and software.
Threat Recognition: Identifying potential threats that could exploit vulnerabilities.
Vulnerability Assessment: Determining weaknesses in the system that could be exploited.
Environmental Study: Understanding the external and internal environment that could impact security.
4. Define the common risk control strategy used in information security.
Preventive Controls: Aimed at preventing security incidents (e.g., firewalls, access controls).
Detective Controls: Designed to detect and identify security incidents (e.g., intrusion detection systems).
Corrective Controls: Implemented to correct any issues after a security incident (e.g., patch management).
Deterrent Controls: Intended to discourage security violations (e.g., security policies, legal consequences).
5. What is the main difference between quantitative and qualitative risk control practices?
Quantitative: Involves numerical values and metrics to assess risk (e.g., statistical methods, cost-benefit analysis).
Qualitative: Based on subjective analysis and expert opinions (e.g., risk matrices, scenario analysis).
6. Explain the professional issue commonly faced in the field of information security.
Identifying Potential Risks: Understanding the threats and vulnerabilities that could impact the organization.
Evaluating Impact and Likelihood: Assessing the potential impact and likelihood of identified risks.
Prioritizing Risks: Determining which risks need immediate attention and resources.
Informing Risk Mitigation Strategies: Guiding the development of strategies to mitigate or accept risks.